none
Putting firewall in front of Azure storage

    Question

  • Can one put a firewall (limited incoming access to ranges of IP addresses) in front of Blob storage?
    Wednesday, July 29, 2015 8:13 PM

Answers

All replies

  • Hi Kevin,

    Do you want to limit the access to your Azure Blob Storage?
    I'm afraid a Firewall wouldn't be an option.
    However, you could consider using one of the following:

    • Create and Use a Shared Access Signature: A shared access signature is a URI that grants restricted access rights to containers, blobs, queues, and tables for a specific time interval. By providing a client with a shared access signature, you can enable them to access resources in your storage account without sharing your account key with them.
    • Use a Stored Access Policy: Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

    You could refer the following link for details:
    https://azure.microsoft.com/en-us/documentation/articles/storage-manage-access-to-resources/

    Or you could consider using Storage Explorer to make a Blob or Container Public or Private and control access to it.

    Regards,
    Malar.

    Thursday, July 30, 2015 9:13 AM
  • Malar,

    Thanks for the reply. It isn't so much that I have a problem sharing the access credentials for Blob storage, as that I would like to add an additional layer of security by controlling from which source IP addresses those credentials can be used. 

    I imagine one could put up a tiny VM running Linux and use that to proxy connections to the storage and use the capability of firewalling access to that VM to control things, however, that Blob storage would still be available to any source IP with the credentials it seems. There is no way to add storage which is only accessible from within Azure, is there? How does it work for disk images attached to VMs - they are still in a storage account that one can access from everywhere, right?

    Thursday, July 30, 2015 4:27 PM
  • Hi Kevin. Unfortunately this capability isn't offered now. This is something that is actively being worked on but there is no timeline to share at this moment.
    Monday, August 10, 2015 8:01 PM
    Moderator
  • I'm holding my break to work fast :-)
    Monday, August 10, 2015 8:35 PM